Session Cookies Being Overwritten Browsing From SSL to Non SSL

I have created a bug report for this issue as well.
Please note I am using J2EE session variables so keep that in mind.
I am seeing session cookies being overwritten when browsing from an SSL connection to a non SSL connection.
For example:
Visiting https://www.domain.com/ results in a JSESSIONID cookie being set with details being sent for "Encrypted connections only".
Visiting http://www.domain.com/ results in a JSESSIONID cookie being set with details being sent for "Any type of connection".
Here's the problem:
Say for example, you're logging into an admin module located at https://www.domain.com/admin/. Once authenticated and some session variables are set, you browse to http://www.domain.com/. When that happens your session cookie (JSESSIONID) is overwritten with a new value and you instantly lose your authentication in the admin module.
Obviously this is causing massive problems for my clients that bounce back and forth from SSL to non SSL connections which is common for e-commerce websites.
Steps to Reproduce:
1. Clear your cookies.
2. Visit a web page such as https://www.domain.com/. Note the JSESSIONID cookie value.
3. Visit a web page such as http://www.domain.com/. Note the JSESSIONID cookie value and how it was overwritten.
This behavior changed in ColdFusion 10. ColdFusion 9 did not overwrite the session cookie.
Has anyone else experienced this?
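What the steps above describe is the cookie Secure attribute at work, not a bug in the browser: a browser keeps one cookie per name/domain/path and withholds a Secure cookie from any http:// request, so the server sees no session on the plain-HTTP visit, starts a new one and sends a new JSESSIONID with the same name, which the browser stores in place of the Secure one. The Python simulation below is an added example, not code from the post, from ColdFusion or from any J2EE container; the host name, the cookie name and the session-id format are assumptions chosen to match the post. It reproduces steps 1-3 and then shows the server-side fix of never starting a session over plain HTTP (redirecting to https:// instead, the kind of decision a ServletRequest.isSecure() check supports); the other way out, issuing the cookie without Secure as ColdFusion 9 did, keeps the session but lets the session id travel in clear.

```python
"""Browser-side reproduction of the JSESSIONID overwrite described above.

Added example; not code from the original post, ColdFusion or any J2EE
container.  The host name, the cookie name and the session-id format are
assumptions chosen to match the post.
"""
import secrets
from dataclasses import dataclass

HOST = "www.domain.com"  # host used in the post


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool  # the "Encrypted connections only" flag in the post


class CookieJar:
    """Minimal host-only cookie jar modelling two RFC 6265 rules: a
    Set-Cookie with the same name/domain/path replaces the stored cookie
    even if the old one was Secure, and a Secure cookie is only attached
    to requests made over a secure channel."""

    def __init__(self):
        self._cookies = {}  # (host, name) -> Cookie

    def store(self, host, cookie):
        self._cookies[(host, cookie.name)] = cookie

    def cookies_for(self, host, https):
        return {c.name: c.value for (h, _), c in self._cookies.items()
                if h == host and (https or not c.secure)}

    def get(self, host, name):
        c = self._cookies.get((host, name))
        return c.value if c else None


class SessionServer:
    """Simplified servlet-container session handling.  A request without a
    known JSESSIONID gets a fresh session and a Set-Cookie; over HTTPS the
    cookie is marked Secure, over HTTP it cannot be.  With
    create_sessions_over_http=False the server instead answers plain-HTTP
    requests with a redirect, so no competing cookie is ever issued on the
    http:// origin and the Secure cookie survives."""

    def __init__(self, create_sessions_over_http=True):
        self.sessions = {}
        self.create_sessions_over_http = create_sessions_over_http

    def handle(self, https, request_cookies):
        sid = request_cookies.get("JSESSIONID")
        if sid in self.sessions:
            return {"status": 200, "session": sid, "set_cookie": None}
        if not https and not self.create_sessions_over_http:
            return {"status": 302, "session": None, "set_cookie": None}
        sid = secrets.token_hex(16)
        self.sessions[sid] = {}
        return {"status": 200, "session": sid,
                "set_cookie": Cookie("JSESSIONID", sid, secure=https)}


def browse(server, jar, https):
    """One request/response round trip, storing any Set-Cookie like a browser."""
    resp = server.handle(https, jar.cookies_for(HOST, https))
    if resp["set_cookie"] is not None:
        jar.store(HOST, resp["set_cookie"])
    return resp


def reproduce(create_sessions_over_http=True):
    """Steps 1-3 from the post: clear cookies, log in over https, visit
    http, then return to the admin module over https."""
    server = SessionServer(create_sessions_over_http)
    jar = CookieJar()
    browse(server, jar, https=True)
    admin_sid = jar.get(HOST, "JSESSIONID")
    server.sessions[admin_sid]["authenticated"] = True  # login at /admin/
    http_resp = browse(server, jar, https=False)
    back = browse(server, jar, https=True)
    return {
        "admin_sid": admin_sid,
        "http_status": http_resp["status"],
        "sid_after": back["session"],
        "still_authenticated": server.sessions[back["session"]].get("authenticated", False),
    }


if __name__ == "__main__":
    broken = reproduce()
    print("default:  overwritten =", broken["sid_after"] != broken["admin_sid"],
          "authenticated =", broken["still_authenticated"])
    fixed = reproduce(create_sessions_over_http=False)
    print("hardened: overwritten =", fixed["sid_after"] != fixed["admin_sid"],
          "authenticated =", fixed["still_authenticated"])
```

Run it and the default server loses the admin login exactly as the post describes, while the hardened server answers the http:// visit with a 302 and the admin session is still there on the next https:// request. The same reasoning applies to any site that bounces between schemes: either keep every page that can see the session behind https://, or accept that the session cookie cannot be Secure.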


Similar Messages

  • How to set a cookie in the browser from an html page called via an Iview

    How to set a cookie in the browser from an html page called via an Iview
    Hello all,
    I have an issue which is causing problems. I have a snap survey (html form with submit and cookie setting) which is embedded in a url iview.
    Although the submit and the form work fine, the portal will not allow the cookie to be set it seems.
    Is there a way to allow cookies to be set from an embedded page in a url iview??
    You will make my day if you know!
    System: EP7 SP13
    Kind regards
    Alex

    Hi,
    Check this:
    http://www.oracle.com/technology/products/ias/portal/html/same_cookie_domain_with_pdkv2.html
    Cookie Basics
    Web browsers have built in rules for receiving and sending cookies. When a browser makes a request to a web server and the web server returns cookies with the response, the browser will only accept a cookie if the domain associated with the cookie matches that of the original request. Similarly, when a browser makes a subsequent request, it will only send those cookies whose domain matches that of the target web server.
    These rules are designed to ensure that information encoded in cookies is only "seen" by the web server(s) that the originator of the cookie intended. These rules also ensure that the cookie cannot be corrupted or imitated by another server. By default, the domain associated with a cookie exactly matches that of the server that created it. However, it is possible to modify the domain at the time the cookie is created. Relaxing the cookie domain increases the scope of the cookie's visibility making it available to a wider "audience" of web servers.
    For example, if a cookie is created by a.us.oracle.com, it's domain will usually be set to a.us.oracle.com. This means that the browser will only send the cookie to a.us.oracle.com. It will never send it to any other servers. However, if at the time of creation, the domain of the cookie is set to .us.oracle.com, the browser will send the cookie to any server whose domain falls within .us.oracle.com. such as portal.us.oracle.com, provider.us.oracle.com, app.us.oracle.com etc
    Regards,
    Praveen Gudapati
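The domain rules in the quoted explanation are the RFC 6265 domain-match and host-only rules. The Python below is an added example, not code from the thread or from Oracle's documentation; it uses the host names from the explanation and leaves out the public-suffix check a real browser also applies (for example rejecting Domain=com). One caveat worth keeping in mind that the quoted text glosses over: once a cookie is scoped to .us.oracle.com, every host under that domain can read it and can also set a cookie of the same name that the browser will store alongside or in place of it, so relaxing the domain widens who can write the cookie as well as who can read it.

```python
"""RFC 6265 domain rules behind the cookie explanation above.

Added example, not from the original thread or from Oracle's documentation.
Host names are the ones used in the explanation; the public-suffix check a
real browser also applies (e.g. rejecting Domain=com) is not modelled.
"""


def domain_matches(request_host, cookie_domain):
    """RFC 6265 section 5.1.3: the host equals the domain, or ends with
    '.' + domain.  A leading dot on the cookie domain is ignored, so
    Domain=.us.oracle.com and Domain=us.oracle.com behave the same."""
    host = request_host.lower().rstrip(".")
    domain = cookie_domain.lower().lstrip(".").rstrip(".")
    return host == domain or host.endswith("." + domain)


def accept_set_cookie(request_host, domain_attr=None):
    """Section 5.3 steps 6-7: what the browser stores for a Set-Cookie.
    Returns (host_only, effective_domain), or None if the cookie is
    rejected because the Domain attribute does not cover the responding
    host."""
    if not domain_attr:
        return True, request_host.lower()  # no Domain: host-only cookie
    domain = domain_attr.lower().lstrip(".")
    if not domain_matches(request_host, domain):
        return None  # e.g. a server trying to set a cookie for a sibling host
    return False, domain


def sent_on_request(request_host, host_only, cookie_domain):
    """Section 5.4 step 1: host-only cookies need an exact host match,
    domain cookies use domain_matches()."""
    if host_only:
        return request_host.lower() == cookie_domain
    return domain_matches(request_host, cookie_domain)


def audience(setter, domain_attr, hosts):
    """Which of `hosts` receive a cookie set by `setter` with `domain_attr`."""
    stored = accept_set_cookie(setter, domain_attr)
    if stored is None:
        return []
    host_only, domain = stored
    return [h for h in hosts if sent_on_request(h, host_only, domain)]


if __name__ == "__main__":
    hosts = ["a.us.oracle.com", "portal.us.oracle.com", "provider.us.oracle.com",
             "us.oracle.com", "a.uk.oracle.com", "evil-us.oracle.com"]
    print(audience("a.us.oracle.com", None, hosts))
    print(audience("a.us.oracle.com", ".us.oracle.com", hosts))
    print(audience("a.us.oracle.com", "portal.us.oracle.com", hosts))
```

Note that evil-us.oracle.com never receives the .us.oracle.com cookie because the match is on a label boundary, and that us.oracle.com itself does receive it; the third call shows a.us.oracle.com being refused when it tries to set a cookie scoped to a sibling host.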

  • How do i know the ssl over non ssl

    Hello Gurus,
    Your answer is greatly appreciated;
    a)
    https://ebusdockel.9dc.com:243/DockerMasterAJX/services/DockerMaster
    b)
    http://ebusmodel.9dc.com/DockerMasterAJX/services/DockerMaster
    How do I determine from the above 2 URLs the difference between SSL and non SSL? Your answer is appreciated.

    Hi,
    There is a way within Forms to programmatically tell whether users are in SSL or not - if you're in 11g Forms. You can use the new 11g JavaScript built-ins to execute JavaScript. JavaScript will pull the URL and return it as a VARCHAR. Then you can have PL/SQL logic to see if the URL contains "https" or "http", then you can execute whatever logic you want.
    The PL/SQL Built-in you want to use is: web.javascript_eval_function
    The javascript command you want to run is: document.location.href
    If you are looking for a way to force users to go to SSL, there are some options you can do with OHS(Oracle HTTP Server) - which comes with the 11g Forms.
    I hope this helps.
    Thank you,
    Gavin
    http://pitss.com/us

  • APEX Security: Multiple session cookies in one browser

    Hi all,
    I use Mozilla Firefox as web browser. When I open a new tab and enter the APEX application URL I am redirected to the login page. After successfully logging in I receive the session id and the browser receives the session cookie WWV_CUSTOM-F....
    When I now open the next browser tab and enter the APEX application URL I am redirected to the login page. After successfully logging in I receive a new session id and the browser receives the session cookie WWV_CUSTOM-F... with new content. My session from the first browser tab is killed, because the session cookie for this session was deleted/replaced by the session cookie from the second tab.
    Is it possible to have multiple APEX sessions opened in one browser in multiple tabs?
    Regards

    Hi PaulP,
    it's simple.
    Unzip bsApex2 http://www.betasoftware.it/codice/bsApex2.zip
    If not installed, install Microsoft .NET Framework 4 Client Profile.
    Configure bsApex.exe.config
    <?xml version="1.0" encoding="utf-8" ?>
    <configuration>
      <appSettings>
        <!-- Application Title -->
        <add key="aTitolo" value="Apex Desktop by Beta Software snc" />
        <!-- Short application title -->
        <add key="aTitoloBreve" value="Apex Desktop" />
        <!-- Window height -->   
        <add key="aAltezza" value="960" />
        <!-- Window width-->
        <add key="aLarghezza" value="1200" />
        <!-- Close button text -->
        <add key="aChiudi" value="Close" />
        <!-- Print button text -->
        <add key="aStampa" value="Print" />
        <!-- Application icon-->
        <add key="aIcona" value="bsApex.ico" />
        <!-- Client -->
        <add key="aCliente" value="Apex Community" />
        <!-- Application address -->
        <add key="aIndirizzo" value="http://apex.oracle.com/pls/otn/f?p=23873:1" />
      </appSettings>
    </configuration>
    Run bsApex.exe, that's all.
    Regards,
    Gianluigi

  • Portal session not being terminated. browser "unload" event

    This line of code is in the portallauncher.default and eventually causes the problem:
    EPCM.subscribeEvent("urn:com.sapportals.portal:browser", "unload", releaseProducerSessions);
    releaseProducerSessions eventually calls a portal component
    WSRPSessionRelease.. which is causing the problem.
    When we upgraded from EP 6.0 to NW 2004, users started receiving the Netweaver Login Screen when they logged out and logged back in, in the same browser. We think this error occurs because NW 2004 implements Web Services Remote Portal functionality.
    We are using SiteMinder as a third party session management tool.
    What we found was that the Siteminder session was being killed but the Portal session was not. Therefore, when users logged back in they would see the generic Netweaver Login Screen, and they could actually just hit "enter" and continue to the portal.
    On a successful logoff, users clicked the logoff button, the DSM terminator was called, thus killing the portal session, then a form was submitted redirecting the users to the SiteMinder logoff page, which logs the users off SiteMinder.
    When the logoff failed, we found that after the DSM Terminator was called
    and before the page was being redirected, a portal component
    (WSRPSessionRelease) was being called, which in turn, RECREATED the portal session. So the user never actually gets logged off from the portal.
    We found that the WSRPSessionRelease component is set to
    a "browser" "unload" event when the portallauncher.default component is first loaded. This is the same component that is being called when the user clicks the "X" to force close the browser.
    The WSRPSessionRelease component is not called before the redirect to the SiteMinder logoff page every time. Sometimes this component is called after the redirect, and we find that this is a successful logoff.
    The component is:
    irj/servlet/prt/portal/prtroot/com.sap.portal.wsrp.coreconsumer.WSRPSessionRelease

    Hello Michael,
    The 'log off' issue is a known issue with Portal since EP 6
    Had faced similar issue and SAP suggests to redirect the 'log off' link to another non-SAP site...like your company intranet site.
    This will help the session to break.
    There are 1-2 SAP Notes on this as well.
    Hope this helps.
    Regards,
    Ritu

  • Mixing ssl and non ssl jsp pages.

    Hi,
    I am new to WebLogic 8.1 and I would like to learn how to set up a few JSP pages in https:// and a few pages to be served over the http:// protocol.
    I have created a managed server using 7004 for http and 7040 for https. Currently I have 2 JSP pages, index.jsp and test.jsp, and both pages can be accessed using http:// or https://.
    I want to make test.jsp work only with https:// and not with http://. How do I configure this?
    In real-world web applications, how does switching between http and https work? Are the URLs hard coded in the controller servlet?
    Some tips would be helpful.
    Uma

    Hi,
    To do this task do the following:
    1. Create a property file in your application, for example myapp.properties.
    2. Include the following in the myapp.properties file:
    #sslport=7002
    #nonsslport=7001
    #serverip=127.0.0.1
    #ctpath=myApp
    # In your case (your managed server has http on 7004 and https on 7040)
    sslport=7040
    nonsslport=7004
    serverip=127.0.0.1
    # ctpath is the web deployment directory
    ctpath=yourapp
    3. Create a class to read the property file, say PropertyReader.java, and implement the following:
    import java.io.InputStream;
    import java.util.Properties;
    // myapp.properties must be on the classpath, e.g. under WEB-INF/classes
    Properties props = new Properties();
    InputStream in = PropertyReader.class.getResourceAsStream("/myapp.properties");
    props.load(in);
    in.close();
    String sslport = props.getProperty("sslport");
    String nonsslport = props.getProperty("nonsslport");
    String serverip = props.getProperty("serverip");
    String cpath = props.getProperty("ctpath");
    4. Initialise the PropertyReader class and, in the property class, keep the following variables in admin session data:
    String sslpath = "https://" + serverip + ":" + sslport + "/" + cpath;
    String nonsslpath = "http://" + serverip + ":" + nonsslport + "/" + cpath;
    5. Use these variables for ssl or non-ssl:
    response.sendRedirect(sslpath + "/bank.jsp");       // for ssl
    response.sendRedirect(nonsslpath + "/welcome.jsp"); // for non ssl
    like the same way
    Regards,
    Nishant Kulkarni

  • Bulk changing all websites from SSL to non-SSL (443 to 80)

    While I was cleaning up my Mountain Lion Server, I innocently updated some SSL server certificates.
    Shortly afterwards, I found that ALL my HTTP (80) sites didn't work. I went into the Server.app and found that ALL my sites were now using port 443, rather than the port 80 that they were running on.
    Since I have over 100 sites, I need to know how to BULK update them back by removing the certificate they were assigned when I updated that specific cert.
    How did I update the certificate? I was looking at the Alerts section of the Server.app, which told me that some were expiring. There was a Replace button and that's what I clicked. I was never warned that it would change ALL my sites from having NO certificate to the certificate that I replaced.
    Any ideas on how to resolve this issue quickly, without having to open up EACH site and change the certificate to NONE (and thus changing the port back to 80)?

    There's no bulk update via the GUI [1], which leaves shutting off Server.app and mass-editing the Apache data.
    For a bulk change of 443 to 80, something like this should get you started. 
    FWIW, Do also confirm whether the port 80 sites are still around in the configuration data, as some web browsers are now selecting 443 whenever that's available.
    [1] Yes, I'm probably ignoring scripting via AppleScript here.  If I have to script something, it'll be the Apache data and not the GUI, and using bash, Python or other such and likely not AppleScript.  Local preference.

  • Separating SSL and non-SSL transactions

    What's the best way to separate SSL and non-SSL transactions in a single web app? I.e. when the user logs in, the login form is submitted over an SSL connection, but from then on only certain pages/forms use SSL. If there's one JVM with the session info, how can we be sure what needs to be secured goes thru the SSL server?

    javax.servlet.ServletRequest method isSecure() - "Returns a boolean indicating
    whether this request was made using a secure channel, such as HTTPS."

  • Using SSL and non-SSL

    We are running 4.12 on Solaris 8 with SSL enabled. However, we would also
    like this server to accept queries on 389 for portions of the tree. An
    example would be that a username and phone number could be queried via 389,
    but an employee ID could only be queried by an authenticated user. Does
    anyone have any guidance on this or could point me to some documentation
    relating to this. Thanks in advance.

    Hi Ryan,
    You probably want to look at the "Managing Access Control" chapter of the
    Administrator's Guide.
    More specifically, have a look at the "Access Based on the Authentication
    Method"
    (http://docs.iplanet.com/docs/manuals/directory/41/admin/acl.htm#997696) and
    the "Defining permission based on the Authentication Method"
    (http://docs.iplanet.com/docs/manuals/directory/41/admin/acl.htm#998706)
    sections.
    I hope this helps.
    Bertold

  • CFID and CFTOKEN Being Deleted from Session Cookie

    I can't believe that no one else has run into this - but I
    have found nothing on the internet.
    When I copy a piece from a web page that is generated by my
    coldfusion server, and paste it into a word document, the session
    cookie is altered, and the CFID and CFTOKEN information is deleted,
    so I lose my login. Recently, I've developed a problem on a
    different application - when I open a word document that is stored
    on the server, using CFCONTENT, same thing happens - the cookie is
    altered, CFID and CFTOKEN are deleted, and I lose my login.
    I'm tearing my hair out. Has anyone seen this behaviour, any
    ideas as to why this would occur? Any ideas as to how to get around
    it?

    Here's my CFAPPLICATION tag:
    <cfapplication name="DashBoard"
    clientmanagement="Yes"
    sessionmanagement="Yes"
    setclientcookies="Yes"
    clientstorage="cookie"
    loginstorage="session"
    sessiontimeout="#CreateTimeSpan(0, 0, 30, 0)#">
    Not sure what you mean by application sections. It's one
    application.
    I don't refer to the cookie in any other way. It's there only
    to do what CF does with it - maintain the information that's used
    to find the session.

  • Is there any way to prevent fields from being overwritten when importing data via xdp-file?

    In a PDF form designed with LCD, every time the form gets merged with an XDP data file the content of all fields gets overwritten, regardless of which data binding (normal, global, none) is assigned to the fields and regardless of whether the fields are excluded in the XDP data file. Is this normal behavior and is there any way to prevent fields from being overwritten?

    The xdp-file is first exported from Acrobat Professional 8 (export data as *.xdp) to get the complete structure. Then in the xdp-file some fields are removed manually and other fields are filled with data. When the modified xdp-file is opened again with Acrobat Professional 8 it grabs the original pdf-form and merges the manually filled fields into the form. With the merge all other fields in the form are overwritten, even if they are not defined in the xdp-file. And that is what I want to avoid. I want to merge the xdp-file into the form and keep the data in fields not defined in the xdp-file.

  • I just updated my Firefox browser to Firefox 8. I am a college student and practice with HTML and CSS for class assignments. The fonts in all my html documents are being overwritten online by your script typeface. How do I resolve this issue?

    I just updated my Firefox browser to Firefox 8. I am a college student and practice with HTML and CSS for class assignments. The fonts in all my html documents are being overwritten online by your script typeface. I did not have this issue in the older version. I use an iMAC running OS10.6.8. How do I resolve this issue?

    Starting with this, you have errors in your CSS code.
    /* as posted: the hex colours are missing the leading # and the rule is never closed */
    body {
      margin-top: 0px;
      margin-right: 0px;
      margin-bottom: 0px;
      margin-left: 0px;
      color: 151515;
      font-family: "Gill Sans", "Gill Sans MT", "Myriad Pro", "DejaVu Sans Condensed", Helvetica, Arial, sans-serif;
      background-color: EFF5F8;
    }
    /* corrected */
    body {
      margin: 0;
      color: #151515;
      font-family: "Gill Sans", "Gill Sans MT", "Myriad Pro", "DejaVu Sans Condensed", Helvetica, Arial, sans-serif;
      background-color: #EFF5F8;
      font-size: 100%;
    }
    Related links:
    Windows Chrome, why do my fonts look so bad? - Lee Green
    css3 - Bad font rendering Chrome - Stack Overflow
    Nancy O.

  • Locking a cell to prevent it from being overwritten

    I want to create a table that restricts data entry to specific cells within the table, keeping cells with formulas that calculate data from being overwritten but I am not seeing any way to "protect" cells from inadvertent data entry. Putting an object over the top of a cell or range of cells and setting its opacity to 0 and then locking it keeps you from selecting the underlying cell with the mouse but you can still tab over to the cell with the direction keys and enter data. Is there a way to lock/protect a cell to keep it from being overwritten?

    b,
    This is an area that Numbers can't really address effectively. The designers don't seem to have considered the possibility of having a document designed by one user and used by others less knowledgeable or trustworthy or careful. If you don't like the workarounds that you found in other discussions your best course is to use another program for now and submit Feedback to Apple if you want to influence future development.
    Jerry

  • I am loading Magic Jack. The error message I get is "Session cookies have been disabled for your web browser. Please enable session cookies so you can register your device." I have followed you process several times. This advice doesn't work. Pls help

    Session cookies have been disabled for your web browser.
    Please enable session cookies so you can register your device.
    The URL is not specified.

  • Within seconds, TWITTER Cookie Preference Settings change from SESSION to ALLOW. Vulnerability exploit, or handshake?

    I've reset Cookie preferences a dozen or more times; removing the Twitter account completely and only "Allow for Session" cookies. Then when I check back, within seconds, the Cookie Preferences change back to ALLOW.
    Twitter is the only website I've ever seen that's capable of doing this.
    This is either a vulnerability in Mozilla Firefox, or Twitter has 'made a deal' with Mozilla to allow special preferences.
    https://twitter.com/serr8d/status/393709767606013952

    If you use extensions like Ghostery that can block or otherwise affect cookies then make sure that such extensions aren't causing this issue.
    *https://support.mozilla.org/kb/Troubleshooting+extensions+and+themes
    Clear the cache and cookies only from websites that cause problems.
    "Clear the Cache":
    *Firefox/Tools > Options > Advanced > Network > Cached Web Content: "Clear Now"
    "Remove Cookies" from sites causing problems:
    *Firefox/Tools > Options > Privacy > Cookies: "Show Cookies"
    If clearing cookies doesn't work then it is possible that the cookies.sqlite file that stores the cookies is corrupted.
    Rename (or delete) cookies.sqlite (cookies.sqlite.old) and delete other present cookie files like cookies.sqlite-journal in the Firefox profile folder in case the file cookies.sqlite got corrupted.
    *http://kb.mozillazine.org/Cookies
    *https://support.mozilla.org/kb/Deleting+cookies
    You can delete the permissions.sqlite file in the Firefox profile folder to reset all permissions.
